... since rss clients can't fill in the html form rendered by FormClientCallback. For instance, Safari 4 hangs when trying to retrieve feeds generated by the RSS Aggregator, and of one uses an external rss client, it will fail to register the feed with a 401, not showing a username/password box, since all it gets is indeed a 401 and the FreeMarker-rendered login page.

This happens when authentication is needed to access the resource; on windows, it seems that this only shows up if the user previously logs out from Magnolia, while on osx, it's more obvious, as apparently the session cookie is not shared.

If one changes the authentication callback to BasicClientCallback, then it all works as expected.

The default uriSecurity callbacks should probably use a pattern delegating (as setup by demo-project for instance), so that other modules could insert their own configuration too. (WebDAV would be a candidate, since it currently replaces the URISecurityFilter for the same purposes)